Summary: | <sys-firmware/ipxe-1.21.1_p20230601: padding oracle attack vulnerability | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | tamiko, virtualization |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B4 [glsa? cleanup] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2022-11-21 16:58:20 UTC
Version 1.21.1 that we have in tree was released in December 2020. The function in question, tls_new_ciphertext(), does not even contain the "if ( is_block_cipher ( ... ) ) { ... }" code block... I am contemplating to simply bump the ebuild to a current snapshot of the github repository. It has seen some activity lately. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1112a96564118f3449b46e3d02e47e33663b7587 commit 1112a96564118f3449b46e3d02e47e33663b7587 Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2023-06-18 03:31:14 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2023-06-18 03:46:07 +0000 sys-firmware/ipxe: add 1.21.1_p20230601 - update to a git snapshot from early 2023-06-01 - add efi32 and efi64 use flags for compiling/installing 32bit and 64bit variants of the ipxe.efi binary Bug: https://bugs.gentoo.org/882393 Bug: https://bugs.gentoo.org/888827 Signed-off-by: Matthias Maier <tamiko@gentoo.org> sys-firmware/ipxe/Manifest | 2 + sys-firmware/ipxe/ipxe-1.21.1_p20230601.ebuild | 127 +++++++++++++++++++++++++ sys-firmware/ipxe/metadata.xml | 3 +- 3 files changed, 131 insertions(+), 1 deletion(-) Thanks! Let's stable when ready. (In reply to John Helmert III from comment #3) > Thanks! Let's stable when ready. FWIW, ipxe 1.21.1_p20230601 was added as stable (not sure if intentional or not). Thanks, missed that |